The author is a Forbes contributor. The opinions expressed are those of the writer.


A wrapped-up Samsung Galaxy Nexus in a freezer, as a researcher measures its temperature.

If you lose possession of an Android phone, your PIN or pattern unlock might not be enough to protect the sensitive data stored on it. Not, at least, after it's spent an hour in a hacker's freezer.

A pair of researchers at Erlangen University in Germany have shown that a trick known as a "cold boot attack" can read data from a Samsung Galaxy Nexus running the latest version of Android, even when the phone is protected by a PIN and has its storage disk encrypted. They call their technique FROST, or Forensic Recovery of Scrambled Telephones. By simply cooling the phone to around five degrees Fahrenheit and quickly rebooting it, Tilo Mueller and Michael Spreitzenbarth found they could read data from its memory including images, emails and web browsing history, as well as the key that in some cases allows them to decrypt the phone's encrypted storage disk.

The attack, which was first shown on PCs in 2008 but has never before been applied to mobile devices, takes advantage of an effect known as "remanence," the lingering information that remains for a few moments in a device's memory even after its power source has been removed. The colder the memory, the longer that information lingers. "RAM doesn’t lose its content immediately," says Mueller. "If it’s 30 degrees Celsius, it’s lost in one or two seconds. But if you cool the phone, the contents are lost in five or six seconds. That gives us enough time to reboot the phone and access the memory."

A screenshot of FROST in action.

The researchers found that in that cold state, they could quickly remove and replace the battery while holding the phone's power and volume buttons, which causes the phone to quickly reboot in "fastboot mode." The entire process takes less than half a second, they say, and allows them to offload the phone's RAM via USB while it still contains the cold, digital leftovers from before it was switched off.

Among the data stored in that RAM, the researchers found the key to the phone's encrypted storage disk, which in some cases might give them full access to the device. But that final step would only work in phones with an unlocked bootloader. In its latest version, Samsung locks the bootloader and automatically wipes the user partition if it's unlocked, preventing them from using the trick.

Even then, the researchers can access all data stored in RAM. Given that phones are rarely switched off, that memory often contains a significant cache of sensitive personal data, the researchers point out. They found they could recover fully intact address book contacts, thumbnail photos, and Wi-Fi credentials, and partially recover calendar entries, emails, text messages, high-resolution photos, and Web history.

An example image of the Android logo in the device's memory over time at room temperature. The second image shows the state of the image at the earliest point where the researchers were able to extract it. The final image shows how it's deteriorated after six seconds.

Mueller says there are no easy defenses against the attack, other than turning a phone off before it's out of the owner's possession. Rebooting a phone more often may also leave less sensitive data in its memory. The researchers say they haven't yet tested the attack on other phones, but believe that it would likely be much more difficult on iOS.

A graph from the researchers' paper, showing the deterioration of data in memory (in percent of memory lost) over time (in seconds) at different temperatures.
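The "percent of memory lost" figure plotted in that graph can be computed by comparing a known reference image with what is read back after a power cycle. The Python sketch below is an added example, not code from the researchers' paper or the FROST tool; the function name, the 16-byte demo page size and both byte strings are constructed for illustration.

```python
"""Added example: quantify RAM decay between a reference image and a dump."""


def bit_decay(reference: bytes, recovered: bytes, page_size: int = 4096) -> dict:
    """Compare two equal-length memory images bit by bit.

    Returns the overall percentage of bits that changed, the number of
    1->0 and 0->1 flips, and the loss percentage for each page.
    """
    if len(reference) != len(recovered):
        raise ValueError("images must be the same length")
    if not reference:
        raise ValueError("images are empty")

    one_to_zero = zero_to_one = 0
    per_page = []
    for start in range(0, len(reference), page_size):
        ref_chunk = reference[start:start + page_size]
        ref = int.from_bytes(ref_chunk, "big")
        rec = int.from_bytes(recovered[start:start + page_size], "big")
        lost = bin(ref & ~rec).count("1")    # bits that were 1, now read 0
        gained = bin(~ref & rec).count("1")  # bits that were 0, now read 1
        per_page.append(100.0 * (lost + gained) / (8 * len(ref_chunk)))
        one_to_zero += lost
        zero_to_one += gained

    return {
        "percent_lost": 100.0 * (one_to_zero + zero_to_one) / (8 * len(reference)),
        "one_to_zero": one_to_zero,
        "zero_to_one": zero_to_one,
        "per_page_percent": per_page,
    }


# Constructed sample: two 16-byte "pages" written before the power cycle.
REFERENCE = b"\xAA" * 16 + b"\xFF" * 16
# Constructed read-back: one stray 0->1 flip in page 0, and half of page 1
# has lost its upper four bits in every byte.
RECOVERED = b"\xAB" + b"\xAA" * 15 + b"\xFF" * 8 + b"\x0F" * 8

if __name__ == "__main__":
    report = bit_decay(REFERENCE, RECOVERED, page_size=16)
    print(f"{report['percent_lost']:.2f}% of bits lost")
    print("per page:", report["per_page_percent"])
    print("1->0:", report["one_to_zero"], "0->1:", report["zero_to_one"])
```

Counting the two flip directions separately shows whether the decay is biased toward one bit value, and the per-page figures show which regions of the image are still usable.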

In their still-unpublished paper on FROST, the two researchers intend their technique to serve as a warning for Android users and as a useful tool for law enforcement forensic analysts trying to recover data from a seized phone. "It reveals a significant security gap that users should be aware of," reads the paper. "Since smartphones are switched off only seldom, the severity of this gap is more concerning than on PCs. Second, we provide the recovery utility Frost which allows law enforcement to recover data from encrypted smartphones comfortably."